
Subject: Re: [sarif] Intro


Thanks very much, Charles, and welcome!

David

On 9/26/22 10:23, Charles Wilson wrote:
I ran into Dee at Black Hat and mentioned my work. She indicated that SARIF was under active discussion, so here I am.

I've been working on the development and documentation of a modern cybersecurity development lifecycle that incorporates the lessons learned since Microsoft introduced their SDL about twenty years ago. Part of that work included recommended automation via information exchange formats. Static analysis of course recommends SARIF, but it is also recommended for other use cases (with extensions). These use cases include: threat modeling, dynamic analysis, fuzz testing, penetration testing, and attack surface analysis.

I'm hoping the group will find these informative. I also presume that we've missed appropriate use of SARIF and we'll need to make corrections. The intent is to be able to validate as SARIF generally and also validate using a specialized schema.

The general link to the work (AVCDL) is:
https://github.com/nutonomy/AVCDL

with specific links to the use cases mentioned as follows:

Threat modeling
https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Threat%20Modeling%20Report.pdf

Fuzz testing
https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Fuzz%20Testing%20Report.pdf

Static analysis
https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Static%20Analysis%20Report.pdf

Dynamic analysis
https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Dynamic%20Analysis%20Report.pdf

Penetration testing
https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Penetration%20Testing%20Report.pdf

Since SBOM came up in the last call, here's my take. You'll note it to be far more end-to-end than most discussions.

https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/elaboration_documents/Software%20Bill%20of%20Materials%20Lifecycle.pdf
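The two-layer validation Charles describes (a report that is valid as plain SARIF and additionally valid against a use-case-specific schema), shown as an added Python example that is not code from the AVCDL project or from this thread; the tool name, rule id and the extension keys placed in the SARIF `properties` bag are assumptions, and the "specialized schema" is a hand-written check rather than a real JSON Schema.

```python
# Constructed sample: a minimal SARIF 2.1.0 log with one threat-modeling result.
# Extension data sits in SARIF's standard "properties" bag, so the log stays
# valid plain SARIF; the keys inside "properties" are hypothetical.
SAMPLE_LOG = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-threat-modeler"}},
              "results": [{"ruleId": "TM-EXAMPLE-1", "level": "warning",
                           "message": {"text": "Untrusted input crosses a trust boundary"},
                           "properties": {"threatCategory": "Tampering",
                                          "trustBoundary": "vehicle-to-cloud"}}]}],
}

def validate_generic(log):
    # Layer 1: baseline structure any SARIF 2.1.0 consumer relies on. Returns problems.
    problems = []
    if log.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = log.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty array"]
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name missing")
        for j, res in enumerate(run.get("results", [])):
            if "text" not in res.get("message", {}):
                problems.append(f"runs[{i}].results[{j}].message.text missing")
    return problems

# Hypothetical specialized schema for the threat-modeling use case: each
# extension key maps to its accepted values (STRIDE here) or None for free text.
THREAT_MODEL_EXT = {
    "threatCategory": {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
                       "Denial of service", "Elevation of privilege"},
    "trustBoundary": None}

def validate_threat_model(log):
    # Layer 2: every result must carry the extension properties with valid values.
    problems = []
    for run in log.get("runs", []):
        for j, res in enumerate(run.get("results", [])):
            props = res.get("properties", {})
            for key, allowed in THREAT_MODEL_EXT.items():
                val = props.get(key)
                if not val:
                    problems.append(f"results[{j}] lacks properties.{key}")
                elif allowed is not None and val not in allowed:
                    problems.append(f"results[{j}] properties.{key}={val!r} not allowed")
    return problems
```

A report passes only when both lists come back empty; a generic SARIF consumer runs layer 1 alone and still reads the log, while the use-case tooling also enforces layer 2.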


